CVE-2021-21706

CVE-2021-21706

Name

CVE-2021-21706

Description

In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
CONFIRM	https://bugs.php.net/bug.php?id=81420
Third Party Advisory	https://security.netapp.com/advisory/ntap-20211029-0007/

Type

URI

CONFIRM

https://bugs.php.net/bug.php?id=81420

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211029-0007/

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
php81	edge-community	8.1.0_rc3-r0	None	fixed
php81	3.19-community	8.1.0_rc3-r0	None	fixed
php81	3.18-community	8.1.0_rc3-r0	None	fixed
php81	3.17-community	8.1.0_rc3-r0	None	fixed
php8	edge-community	8.0.11-r0	Andy Postnikov <apostnikov@gmail.com>	fixed
php7	edge-community	7.4.24-r0	Valery Kartel <valery.kartel@gmail.com>	fixed

Source package

Branch

Version

Maintainer

Status

php81

edge-community

8.1.0_rc3-r0

None

fixed

php81

3.19-community